Snarg

Removing fake customers


For reasons I don't understand, some bot, script or person with *WAY* too much time on their hands is making fake accounts on my site. How do I go about deleting those accounts? Thank you for your time.

fake.jpg


There are several threads on this subject. There's no simple way to remove them in a stock shop. You can do one of the following:

  • If there are not too many, you can manually delete them in admin->Customers.
  • If there are too many to delete manually, you can delete them by editing the database. How easy this is depends on when the accounts were created and if there is something in common with them, like the same in each.

To prevent it from happening again,

  • If you can determine the country that the accounts are being added from and if you won't sell to that country, then remove the country from the countries list in admin or install an addon or package that blocks countries if your host doesn't provide that option.
  • If you can determine the IP of those that created the account, you could block those IPs. There are addons meant to store the IP if you don't have one installed.


@Snarg same here, very similar to what you show. About 1 or 2 a day. I've been manually deleting.


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


Fake accounts are usually opened for the purpose of either spamming you, or using the store as a platform for spamming others via tell-a-friend, messaging, etc. Thus, it is good to keep them under control. I don't know if removing a country from the list will do any good -- they'll simply pick another country. In the (presumably made up?) example, they would just pick some other random country than Angola. That would be like playing whack-a-mole until you're down to one last country. I suppose you could do something to publish a list of countries you will (or won't) sell to, and silently automatically trash any account signed up for the banned countries. The fake account will simply vanish into the memory hole.

Something more productive might be to put new accounts' outputs (tell-a-friend, etc.) on preview of some sort, where nothing actually goes out until you've reviewed it. That's more work for you, of course. To avoid running afoul of privacy laws, you'd probably have to tell the "customer" that you're reading their posts and mailings, and even then, there might be trouble. However, it might be enough to discourage those looking to abuse your system (unless you simply turn off t-a-f etc.).

Forums and blogs face the same problem. If you can't stop them at the border (CAPTCHAs, etc. on signup to stop bots), you have to monitor what they're outputting to others and clamp down if they appear to be abusive. At least, on a forum or blog posting no one can claim a right to privacy in their communications. Almost anything you can do to stop spamming is going to create more work for you or more work for a real customer. Welcome to the Real World.

Can tell-a-friend, etc. be disabled until a customer has purchased something? Can tell-a-friend mailings be checked that they have a legitimate link to one of your products or categories, otherwise they're silently trashed? Just some ideas.


here's one:  from ip: 

188.138.188.34
 
IP Location Moldova, Republic Of Moldova, Republic Of Chisinau Starnet Solutii Srl
ASN Moldova, Republic Of AS31252 STARNET-AS, MD (registered Mar 31, 2004)
Resolve Host

188-138-188-34.starnet.md

Will be blocking 188.138.188.0 - 188.138.188.255 via my cp

Edited by altoid

1 minute ago, JcMagpie said:

I had to clean a db of old customers a few months ago and found this add-on very useful.

You may want to look at my Database Optimizer.

3 minutes ago, MrPhil said:

Something more productive might be to put new accounts' outputs (tell-a-friend, etc.) on preview of some sort, where nothing actually goes out until you've reviewed it.

That is a good idea but won't help in this case since it is the creation of accounts causing a problem. And if that is put on hold for approval, the shop would probably lose sales.


Well, the idea is that if the spammer knows that you will be previewing their mailings and weeding out spam (for a while, anyway), hopefully they won't sign up in the first place.


Sorry about that, I mistakenly uploaded the old code! This is what I used to clean the db. The plus was I could filter the large db by date and do a delete between dates or delete individual customers.

As Jack said, using the optimizer will probably help tidy up the db. Also not waiting too long before cleaning would also help 😊 a little weekly housekeeping would have avoided me having to clean 10 year old unused accounts!


 

inactiveuser_CE_2_4.zip


 

41 minutes ago, douglaswalker said:

Would the Honey pot work

Assuming you mean my addon, it uses JavaScript for the create account page and JavaScript can be bypassed by spammers. It can't be bypassed on the contact us page because that also uses PHP code.

What could be done is to add code to store the IP and the date of account creation and then refuse new accounts if it is from the same IP and within XX amount of time. That won't stop it but it should cut it down quite a bit. I already have the code for that in the Pro version of View Counter. I'll see about adding it to the next Honey Pot version.


I have found that my main issue on my osC test site is the contact_us page! I have it set so you can only resend after 30 minutes but the sods get round this by just using different emails.

From looking into this I think that the only solution is to install Google captcha to this and any other forms like make account and reviews, basically any submit saving to db should have it applied.

Only problem is this requires quite a lot of core changes in osC to implement fully.


 

27 minutes ago, JcMagpie said:

From looking into this I think that the only solution is to install Google captcha to this and any other forms like make account and reviews, basically any submit saving to db should have it applied.

See the Honey Pot addon. There are only a few changes needed. It stops 100% of spam by bots on the contact us page and is completely transparent to the customer.

5 minutes ago, puddlec said:

are they using the same IP address?
if they are you could block them, that way.

That will work but there isn't any code in place to capture the IP unless something was added.


I have used a basic image captcha on that page but they get round it somehow! IPs are all over the place so that's not an option.

I've just installed the Google reCAPTCHA; found this add-on by @Demitry in the apps! Must have missed it before!

https://apps.oscommerce.com/f2UI4&recaptcha-2-form-validation-for-bs-edge

Install needed a small edit to core files and to each page you need it on. Did not work for the contact us page; there was a small error in the code. Not found a support thread linked to the app,

but the change was an easy fix:

simply change, in the install instructions, all cases of

require(DIR_WS_CLASSES . 'recaptcha.php');

to

require('includes/classes/recaptcha.php');

So let's see if the sods get past this one.

 


Action Recorder

Could not create_account be protected with an action recorder module?

Recaptcha

Protect create_account with a Recaptcha as well?

IP Address

Store IP address as part of account creation. Isn't everyone doing that anyway per GDPR? 😂

Back End

What about a backend page that allows shopowner to drill down customers [and delete them], eg show me;

  • customers who registered between X date and Y date
  • and/or have not logged in since
  • and/or have made no orders

Self Approve

How about getting customer to approve themselves (rather than be admin approved).  
I.e., they create an account and are immediately logged out. They have to check their email to access a page which "open sesame"s their account and access to the checkout procedure. Obviously not right for all shops, but that might be suitable for some shops.

That's 5 ideas that spring to mind immediately...

 

Edited by burt

This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here
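
The "Back End" drill-down from the post above, written as a query (an added example, not part of the original thread or of any osCommerce add-on). The table and column names are assumed to match the stock osCommerce 2.3.x schema, the rows are constructed, and the setup section builds scratch copies so it can be tried in an empty test database.

```sql
-- Scratch tables holding only the columns the query needs. Names are assumed
-- to match stock osCommerce 2.3.x; run this in an empty test database.
CREATE TABLE customers (
  customers_id            INT PRIMARY KEY,
  customers_email_address VARCHAR(255) NOT NULL
);
CREATE TABLE customers_info (
  customers_info_id                   INT PRIMARY KEY,  -- same value as customers_id
  customers_info_date_account_created DATETIME,
  customers_info_number_of_logons     INT
);
CREATE TABLE orders (
  orders_id    INT PRIMARY KEY,
  customers_id INT NOT NULL
);

-- Constructed sample rows.
INSERT INTO customers VALUES
  (1, 'buyer@example.com'),     -- in window, has an order
  (2, 'bot-a@example.net'),     -- in window, never logged in, no order
  (3, 'browser@example.org'),   -- in window, no order, but has logged in
  (4, 'old@example.com');       -- outside the window
INSERT INTO customers_info VALUES
  (1, '2019-01-05 10:00:00', 3),
  (2, '2019-01-06 03:12:00', 0),
  (3, '2019-01-07 18:30:00', 2),
  (4, '2018-06-01 09:00:00', 0);
INSERT INTO orders VALUES (100, 1);

-- Preview only: accounts created between X and Y, with no recorded logons
-- (assumed to mean no login after sign-up) and no orders.
-- Review this list before deleting anything. Here it returns customer 2 only.
SELECT c.customers_id,
       c.customers_email_address,
       ci.customers_info_date_account_created AS created
FROM customers c
JOIN customers_info ci ON ci.customers_info_id = c.customers_id
WHERE ci.customers_info_date_account_created >= '2019-01-01 00:00:00'  -- X
  AND ci.customers_info_date_account_created <  '2019-02-01 00:00:00'  -- Y
  AND ci.customers_info_number_of_logons = 0
  AND NOT EXISTS (SELECT 1 FROM orders o WHERE o.customers_id = c.customers_id)
ORDER BY created;
```

Against a live shop only the SELECT is needed, and dropping any one of the three conditions widens the list.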

35 minutes ago, Jack_mcs said:

It stops 100% of spam by bots on the contact us

Just checked, Jack, and it looks as if I have honeypot on all the sites that have no spam! The few that have spam problems did not have it! So I guess problem solved! Note to self: stop being stupid and use what already works 😂. HoneyPot being installed now.


 

7 hours ago, MrPhil said:

...In the (presumably made up?) example...

Nope, not made up :)

 

Thank you for the advice. We only sell in the United States, so I guess I'll turn all the other countries off.

3 hours ago, puddlec said:

are they using the same IP address?
if they are you could block them, that way.

Proxies.

3 hours ago, burt said:

Back End

What about a backend page that allows shopowner to drill down customers [and delete them], eg show me;

  • customers who registered between X date and Y date
  • and/or have not logged in since
  • and/or have made no orders

 

The options, or lack of, for sorting and displaying customers seem to be...lacking...at best.


When I select one of these fake accounts, I get a bunch of errors. Should I be worried?

 

customer.jpg

Edited by Snarg

37 minutes ago, MrPhil said:

Exactly what osC version? What PHP version? Yes, you should worry about such errors.

osCommerce Online Merchant v2.3.4
PHP Version 5.6.39

Please note, I *only* get those errors when clicking on the name of  a fake account. Never for a real account. I am concerned it's some kind of hacking thing.


I presume that's the "official" osC 2.3.4? I'm not sure it will properly run at PHP 5.6. The community-supported osC 2.3.4.1BS "Frozen" (see link in my signature) will go to at least PHP 7.1, so you should strongly consider upgrading your shop. As for why only "fake" accounts exhibit this behavior, I have never heard of this behavior. I suppose it's somewhat possible that there is some fishy data stored with these accounts, but offhand I can't think of what it could be. Maybe you could go into phpMyAdmin and take a look at one of these problem-causing fake accounts, and compare them with a normal real account, and see if there is anything in the customer data that looks like a script (HTML tags) or something else odd. Are you sure it's only fake accounts, or are those the only ones you tried this operation on? This is only selecting the account, and you haven't pressed Delete yet?
